Is this port forwarding or something else - SSH


Is this port forwarding or something else

I have a tricky problem... at least to me it seems complicated.
I want to run an rsnapshot backup from one remote host to another.
Rsnapshot uses ssh for networking and has allowance for passing
commands to ssh in its conf file.

In order for this to work, a password has to be given at some point.
If ssh-agent is set up and used to avoid a password, still a password or
phrase is needed at some time to start the agent and ssh-add your
key.

If both machines are remote how can this be managed from the local
machine?

I mean, I can set up a forwarded port and talk to the second remote as
if from remote1 with something like:

And if I've set up authorized_keys all around, there will be no login
prompt, using the ssh-agent on localhost.

But then of course the backup data would come to localhost, and it
needs to go to rhost1.

So I'm drawing a blank in man ssh as to syntax to get an rsnapshot
backup run between rhost1 and rhost2 using the ssh-agent on localhost?

All these machinations are coming up because I can't think of a way to
automate rsnapshot backups between rhost1 and rhost2 without having to
login on rhost1 to either run the command or start the ssh-agent and
add the necessary key with ssh-add so a cron job can access the
socket.

I have user privs on rhost1 and rhost2 but root on localhost.
Things could be automated from localhost since I have the agent set up
when X starts. That is, on localhost the ENV variables can always be
accessed by scripting thru cron, since the agent is running and has had
my key added. The socket is available.

So to get to it, is it possible to tell ssh to set up a three-way
tunnel and move data from rhost2 to rhost1 using ssh-agent from
localhost? If so does anyone have a stab examples of the required
syntax?

Re: Is this port forwarding or something else

reader@newsguy.com writes:
>All these machinations are coming up because I can't think of a way to
>automate rsnapshot backups between rhost1 and rhost2 without having to
>login on rhost1 to either run the command or start the ssh-agent and
>add the necessary key with ssh-add so a cron job can access the
>socket.

Why not:

run ssh-agent on your local machine, and add a key there.

ssh into rhost1, using agent forwarding.
from there, run the remote command on rhost2

The agent forwarding should handle your problem for you.

>I have user privs on rhost1 and rhost2 but root on localhost.

This does depend on agent-forwarding being allowed by sshd on rhost1.

Another possibility is to use host-based authentication between
rhost1 and rhost2. That's what I plan to do if I ever get around to
automating my backups. This depends on sshd allowing host-based.
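
Added example, not part of either poster's message: a cron wrapper for localhost that carries out the agent-forwarding suggestion above unattended, so the backup data moves between rhost1 and rhost2 while only signature requests come back to localhost. The AGENT_SOCK variable, the function names and the "daily" interval are assumptions, and rsnapshot.conf on rhost1 is assumed to already pull from rhost2 over ssh.

```shell
#!/bin/sh
# Added example (not from the thread): cron wrapper run on localhost.
# Assumption: AGENT_SOCK holds the socket path of the already-running agent.
# While the session is open, root on rhost1 can use the forwarded agent, so
# load a key dedicated to this backup rather than an everyday key.

# 0 if $1 is a socket and the agent behind it holds at least one key.
agent_ready() {
    [ -S "$1" ] || return 1
    SSH_AUTH_SOCK="$1" ssh-add -l >/dev/null 2>&1
}

# ssh hands the remote command to a shell on the remote host, so accept only
# plain interval names (letters, digits, underscore) such as "daily".
valid_interval() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Run "rsnapshot <interval>" on <host> with the local agent forwarded (-A).
# BatchMode makes ssh fail instead of prompting when no key is accepted.
# Returns 2 for a rejected interval, 3 when no usable agent is found.
run_backup() {
    sock=$1 host=$2 interval=$3
    valid_interval "$interval" || { echo "bad interval: $interval" >&2; return 2; }
    agent_ready "$sock" || { echo "no usable agent at $sock" >&2; return 3; }
    SSH_AUTH_SOCK="$sock" ssh -A -o BatchMode=yes "$host" rsnapshot "$interval"
}

# Only act when called with arguments, e.g. from the crontab on localhost:
#   0 3 * * * AGENT_SOCK=/path/to/agent.sock /path/to/this-script rhost1 daily
if [ "$#" -ge 2 ]; then
    run_backup "${AGENT_SOCK:-$SSH_AUTH_SOCK}" "$1" "$2"
fi
```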

Re: Is this port forwarding or something else

Neil W Rickert writes:
>>All these machinations are coming up because I can't think of a way to
>>automate rsnapshot backups between rhost1 and rhost2 without having to
>>login on rhost1 to either run the command or start the ssh-agent and
>>add the necessary key with ssh-add so a cron job can access the
>>socket.
>
> Why not:
>
> run ssh-agent on your local machine, and add a key there.
>
> ssh into rhost1, using agent forwarding.
> from there, run the remote command on rhost2

I guess it wasn't clear in OP that I want this automated.

>> I have user privs on rhost1 and rhost2 but root on localhost.
> This does depend on agent-forwarding being allowed by sshd on rhost1.

All subject hosts allow it.

> Another possibility is to use host-based authentication between
> rhost1 and rhost2. That's what I plan to do if I ever get around to
> automating my backups. This depends on sshd allowing host-based.

What do you mean above? Is it something that requires root on remotes?
Is it something you set up once and it can run unattended (from cron)?

Re: Is this port forwarding or something else

reader@newsguy.com writes:
>Neil W Rickert writes:
>> Another possibility is to use host-based authentication between
>> rhost1 and rhost2. That's what I plan to do if I ever get around to
>> automating my backups. This depends on sshd allowing host-based.
>What do you mean above? Is it something that requires root on remotes?
>Is it something you set up once and it can run unattended (from cron)?

I'll assume openssh for ease of discussion.

You will need "sshd_config" to allow host based authentication. That's
the only part that requires root access.

You also need ssh_config to allow host-based. But you can set this
in $HOME/.ssh/config . The host key of each of "rhost1" and "rhost2"
needs to be in $HOME/.ssh/known_hosts on both systems. You also need
an entry in $HOME/.shosts on rhost1 to allow access from rhost2 and
on rhost2 to allow access from rhost1.

You might need to experiment a little to get the hostname that
each knows the other by. Once set up, it should work smoothly.

Relevant entries from my "sshd_config":

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication yes
# similar for protocol version 2
HostbasedAuthentication yes
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts no
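
Added example, not part of the post above: a check, run as the ordinary user on the host that will accept the connection, of the two per-user files the post names for host-based authentication. The function names and file arguments are assumptions; hashed known_hosts entries are not matched, and the peer name must be the one sshd resolves for the connecting host.

```shell
#!/bin/sh
# Added example (not from the thread): verify the user-side files that
# host-based authentication reads on the accepting host.

# 0 if FILE exists and is not writable by group or others; sshd with
# StrictModes ignores a ~/.shosts that other users could modify.
private_file() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# 0 if the .shosts-style FILE ($1) has a line whose first field is PEER ($2)
# and whose optional second field is USER ($3).
shosts_allows() {
    awk -v h="$2" -v u="$3" \
        '$1 == h && (NF == 1 || $2 == u) { ok = 1 } END { exit !ok }' "$1"
}

# 0 if the known_hosts-style FILE ($1) has an unhashed entry naming PEER ($2).
# The first field may list several comma-separated names and addresses.
knows_host() {
    awk -v h="$2" '{
        n = split($1, names, ",")
        for (i = 1; i <= n; i++) { if (names[i] == h) ok = 1 }
    } END { exit !ok }' "$1"
}

# Args: shosts-file known_hosts-file peer-hostname peer-username
hostbased_files_ok() {
    private_file "$1" && shosts_allows "$1" "$3" "$4" && knows_host "$2" "$3"
}

# Example call on rhost2, with the name rhost2 uses for rhost1:
#   hostbased_files_ok "$HOME/.shosts" "$HOME/.ssh/known_hosts" rhost1 "$USER"
```

Passing this check covers only the per-user files; the connecting host also needs EnableSSHKeysign yes in its system-wide ssh_config, which is outside an unprivileged user's control.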

Re: Is this port forwarding or something else

Neil W Rickert writes:
> You will need "sshd_config" to allow host based authentication. That's
> the only part that requires root access.

That is the kicker right there. I can't even grep that file.

But is there no way to set up some kind of three-way transfer where
control info comes from localhost using ssh-agent and data info is
moved between the 2 remotes? (A way that does not require root privs)

As described in OP I can set up simple tunnels from local to either
remote.

So I'm asking how to set up a tunnel between rhost1 and rhost2 and talk to
it from localhost.